jdev0741

Reputation: 11

Using Wss4jSecurityInterceptor for Spring security - configuring securement for signature and encryption with two keys

I am trying to add interceptors for securing Spring-WS by following this tutorial: https://memorynotfound.com/spring-ws-certificate-authentication-wss4j/

I need to use two separate public/private key pairs (one for signing, the second for encryption) in a single keystore (the server.jks file), but I am not able to configure the security interceptor.

It works fine as in the example if I use a single keystore, but how should I set the following when there are separate keys for signing and encryption?

import java.io.IOException;

import org.springframework.context.annotation.Bean;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Bean
public KeyStoreCallbackHandler securityCallbackHandler(){
    // Supplies the password of the private key WSS4J uses to decrypt incoming requests
    KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
    callbackHandler.setPrivateKeyPassword("changeit");
    return callbackHandler;
}

@Bean
public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();

    // validate incoming request: timestamp, signature and decryption all resolved from server.jks
    securityInterceptor.setValidationActions("Timestamp Signature Encrypt");
    securityInterceptor.setValidationSignatureCrypto(getCryptoFactoryBean().getObject());
    securityInterceptor.setValidationDecryptionCrypto(getCryptoFactoryBean().getObject());
    securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());

    // encrypt the response for the certificate stored under alias "client-public"
    securityInterceptor.setSecurementEncryptionUser("client-public");
    securityInterceptor.setSecurementEncryptionParts("{Content}{https://memorynotfound.com/beer}getBeerResponse");
    securityInterceptor.setSecurementEncryptionCrypto(getCryptoFactoryBean().getObject());

    // sign the response with the private key stored under alias "server"
    securityInterceptor.setSecurementActions("Signature Encrypt");
    securityInterceptor.setSecurementUsername("server");
    securityInterceptor.setSecurementPassword("changeit");
    securityInterceptor.setSecurementSignatureCrypto(getCryptoFactoryBean().getObject());

    return securityInterceptor;
}

@Bean
public CryptoFactoryBean getCryptoFactoryBean() throws IOException {
    // One WSS4J Crypto instance backed by the single server.jks keystore
    CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
    cryptoFactoryBean.setKeyStorePassword("changeit");
    cryptoFactoryBean.setKeyStoreLocation(new ClassPathResource("server.jks"));
    return cryptoFactoryBean;
}

For encryption we have the method setSecurementEncryptionUser, but how do we configure setValidationDecryptionCrypto and setValidationSignatureCrypto with the alias to decrypt/validate?

Upvotes: 1

Views: 4327
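One way to keep a dedicated signing key and a dedicated decryption key in the same server.jks while using a single Wss4jSecurityInterceptor. This is an added example, not code from the question or from the linked tutorial. It assumes three entries in server.jks that the original post does not have: a private key under alias server-sign (signs responses), a private key under alias server-enc (the client encrypts requests to its certificate), and the client's certificate under alias client (verifies request signatures, encrypts responses). The passwords and the package name are also assumptions. The point it shows: on the validation side no alias is configured at all, because WSS4J resolves the decryption key from the certificate reference carried in the request's EncryptedKey and the signer's certificate from the Signature's KeyInfo, and the only thing the KeyStoreCallbackHandler supplies is the password of the key that gets picked; on the securement side the signing alias is setSecurementUsername and the recipient's alias is setSecurementEncryptionUser, so the two private keys can even have different passwords (securementPassword vs. privateKeyPassword).

```java
package com.example.ws.config; // hypothetical package

import java.io.IOException;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@EnableWs
@Configuration
public class TwoKeyWsSecurityConfig extends WsConfigurerAdapter {

    // Assumed keystore aliases (not from the original post):
    //   server-sign : private key + cert used to sign responses
    //   server-enc  : private key + cert the client encrypts requests to
    //   client      : client's certificate (trusted entry)
    private static final String SIGNING_ALIAS = "server-sign";
    private static final String CLIENT_ALIAS = "client";

    // Assumed passwords; load them from an external secret store in practice.
    private static final String KEYSTORE_PASSWORD = "changeit";
    private static final String SIGNING_KEY_PASSWORD = "sign-secret";
    private static final String DECRYPTION_KEY_PASSWORD = "enc-secret";

    @Bean
    public CryptoFactoryBean serverCrypto() throws IOException {
        // One Crypto over the single server.jks holding both private keys
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource("server.jks"));
        crypto.setKeyStorePassword(KEYSTORE_PASSWORD);
        return crypto;
    }

    @Bean
    public KeyStoreCallbackHandler decryptionCallbackHandler() {
        // No alias here: WSS4J locates the decryption key (server-enc) from the
        // certificate reference in the incoming EncryptedKey and only asks this
        // handler for that key's password.
        KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        handler.setPrivateKeyPassword(DECRYPTION_KEY_PASSWORD);
        return handler;
    }

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Incoming request: verify timestamp and signature (signer cert must be
        // trusted via server.jks), then decrypt with whichever private key the
        // EncryptedKey references.
        interceptor.setValidationActions("Timestamp Signature Encrypt");
        interceptor.setValidationSignatureCrypto(serverCrypto().getObject());
        interceptor.setValidationDecryptionCrypto(serverCrypto().getObject());
        interceptor.setValidationCallbackHandler(decryptionCallbackHandler());

        // Outgoing response: sign with server-sign, then encrypt for the client.
        interceptor.setSecurementActions("Signature Encrypt");
        interceptor.setSecurementUsername(SIGNING_ALIAS);
        interceptor.setSecurementPassword(SIGNING_KEY_PASSWORD);
        interceptor.setSecurementSignatureCrypto(serverCrypto().getObject());
        // Embed the signing cert so the client can verify without an alias lookup
        interceptor.setSecurementSignatureKeyIdentifier("DirectReference");

        interceptor.setSecurementEncryptionUser(CLIENT_ALIAS);
        interceptor.setSecurementEncryptionCrypto(serverCrypto().getObject());
        interceptor.setSecurementEncryptionParts(
                "{Content}{https://memorynotfound.com/beer}getBeerResponse");
        return interceptor;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        try {
            interceptors.add(securityInterceptor());
        } catch (Exception e) {
            throw new IllegalStateException("could not initialize security interceptor", e);
        }
    }
}
```

The server-enc alias never appears in the configuration; it is selected at runtime by the certificate reference the client puts in its request, which is why there is no "decryption alias" setter to fill in. If the two keys are instead kept in two files, the same layout works with two CryptoFactoryBean instances: pass the signing keystore's Crypto to the signature setters and the encryption keystore's Crypto to the decryption and encryption setters, since the interceptor exposes them separately.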

Answers (1)

hin522

Reputation: 59

Could you try having two securityInterceptors with two keystores? One for signature and one for encryption. Then add both interceptors to the list of interceptors.

import java.util.List;

import org.springframework.ws.server.EndpointInterceptor;

// Inside a WsConfigurerAdapter subclass: register both interceptors in order
@Override
public void addInterceptors(List<EndpointInterceptor> interceptors) {
    try {
        interceptors.add(signatureSecurityInterceptor());
        interceptors.add(encryptionSecurityInterceptor());
    } catch (Exception e) {
        throw new RuntimeException("could not initialize security interceptor", e);
    }
}

Upvotes: 0
